wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
Bluetooth: hci6: Entering manufacturer mode failed (-110)
==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x1b8/0x1c0 net/bluetooth/hci_core.c:2594
Read of size 8 at addr ffff8880b257f198 by task kworker/1:0/19

CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Workqueue: events hci_cmd_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 hci_cmd_timeout+0x1b8/0x1c0 net/bluetooth/hci_core.c:2594
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 8151:
 kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
 skb_clone+0x151/0x3d0 net/core/skbuff.c:1293
 hci_cmd_work+0x18f/0x360 net/bluetooth/hci_core.c:4416
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 8170:
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x7f/0x260 mm/slab.c:3765
 kfree_skbmem+0xc1/0x140 net/core/skbuff.c:595
 __kfree_skb net/core/skbuff.c:655 [inline]
 kfree_skb+0x127/0x3d0 net/core/skbuff.c:672
 hci_dev_do_open+0xaf0/0x1260 net/bluetooth/hci_core.c:1522
 hci_power_on+0x117/0x530 net/bluetooth/hci_core.c:2151
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff8880b257f0c0
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 216 bytes inside of
 232-byte region [ffff8880b257f0c0, ffff8880b257f1a8)
The buggy address belongs to the page:
page:ffffea0002c95fc0 count:1 mapcount:0 mapping:ffff8880b5b8fd80 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002a7be88 ffffea00025aef48 ffff8880b5b8fd80
raw: 0000000000000000 ffff8880b257f0c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b257f080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880b257f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880b257f180: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff8880b257f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b257f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
==================================================================